Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an on-going, ever changing, and increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service, and so forth.
Security systems often employ security risk-management tools, i.e. “scanners,” to search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses. Further, [0] scanners are used for content filtering to enforce an organization's operational policies, i.e. detecting harassing or pornographic content, junk e-mails, misinformation (virus hoaxes), etc.
In most security systems, data is scanned at each entry point into a system. However, in such systems, no communication takes place between the various entry points when a security event occurs. At most, the event is logged in some central database. Thus, an attack that breaches one entry point would also be able to breach all entry points (assuming the same scanning techniques are employed at each point), and can infect any other machine on the network. What is needed is collaboration between network resources so that a resource being attacked can transmit information about the attack to other resources for containing the outbreak and preventing similar attacks at other points in the network.